We are now, more than ever, exposed to a growing number of business risks that threaten our very existence. As a result, business owners are having to bring risk management, normally a mundane topic, to the forefront of their minds.
What is Risk Management?
Risk Management is the process of identifying and reducing potential risk to your business. There are 7 types of risk a business faces: physical risk, strategic risk, compliance risk, operational risk, technology risk, financial risk and reputation risk. You need to consider all of these areas and record the risks you find in a Risk Register. Examples of risk are flood, fire, theft, cyber attack, recession and, of course, pandemic!
Once you've identified the risks, you need to calculate both the likelihood of these threats being realised and their potential impact.
Risk Rating = Probability x Impact
You would typically score each factor from 0 to 10, with some narrative around what the values mean, so that the maximum Risk Rating is 100, which would be total business shutdown. Be aware that the product on its own hides the shape of a risk: a near-certain minor disruption (10 x 1) and a rare catastrophe (1 x 10) both score 10, so keep the individual probability and impact scores and their narrative alongside the rating. You will then need to record these on your Risk Register against each risk and begin thinking about how to manage each.
How Do You Manage Risk?
The first step is to agree a Risk Acceptance level (e.g. Risk Rating < 50). Once this is agreed you can focus on the risks that sit at or above this rating and look at ways to reduce or remove them.
Firstly, it may be possible to remove the risk completely by stopping the process or function that creates the risk in the first place (if operationally feasible).
If it's not possible to avoid the risk, it may be possible to reduce it by introducing additional controls internally or by working with an outsourcing partner, such as Lemon, who can pick up workload if your business operation is impacted by a risk becoming a reality.
Lastly, if you can't avoid or reduce the risk, then you will have to make a business decision to accept the risk.
You will need to add a Risk Treatment section to your Risk Register to record the decisions you make. This is where you re-evaluate each risk to the business now that you have the controls in place. In theory each risk rating should now be below your risk acceptance level; otherwise you need to either accept the risk to the business or put in
As a result of this process you will end up with a Risk Register that lists all known risks to your business, grades the level of each risk (Risk Assessment) and then identifies the controls you have put in place to lower the risk to an acceptable level (Risk Treatment Plan). This should then be reviewed annually, or whenever there is a significant change to the business.
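A worked version of the Assessment and Treatment steps above, as an added example (Python) that is not part of the original post: a small Risk Register that scores each risk as Probability x Impact on 0-10 scales, lists the risks at or above the agreed acceptance level, and, after treatment, reports which are now within acceptance, which have been formally accepted above it, and which are still open and need either more controls or an accept decision. The risk names follow the post's examples; the scores, control names, the acceptance level of 50 and all function and field names are constructed assumptions for illustration.

```python
"""
Toy Risk Register: Risk Assessment (Probability x Impact) and Risk Treatment review.
Added example, not from the original post. The 0-10 scale, the sample risks and
their scores, the controls and the acceptance level are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional

SCALE_MIN, SCALE_MAX = 0, 10      # assumption: both factors scored 0-10, so max rating is 100
RISK_TYPES = {"physical", "strategic", "compliance", "operational",
              "technology", "financial", "reputation"}      # the seven types named in the post
TREATMENTS = {"untreated", "avoid", "reduce", "accept"}     # avoid / reduce / accept, or not yet decided


def risk_rating(probability: int, impact: int) -> int:
    """Risk Rating = Probability x Impact; 100 means total business shutdown."""
    for name, value in (("probability", probability), ("impact", impact)):
        if not isinstance(value, int) or not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{name} must be an integer {SCALE_MIN}-{SCALE_MAX}, got {value!r}")
    return probability * impact


@dataclass
class Risk:
    name: str
    category: str
    probability: int                   # inherent scores, before any controls
    impact: int
    treatment: str = "untreated"
    controls: List[str] = field(default_factory=list)
    residual_probability: Optional[int] = None   # re-scored with controls in place ("reduce" only)
    residual_impact: Optional[int] = None

    def __post_init__(self) -> None:
        if self.category not in RISK_TYPES:
            raise ValueError(f"unknown risk type {self.category!r}")
        if self.treatment not in TREATMENTS:
            raise ValueError(f"unknown treatment {self.treatment!r}")
        if self.treatment == "reduce" and not self.controls:
            raise ValueError("'reduce' must record at least one control")

    @property
    def inherent_rating(self) -> int:
        return risk_rating(self.probability, self.impact)

    @property
    def residual_rating(self) -> int:
        """Rating re-evaluated after treatment."""
        if self.treatment == "avoid":          # process stopped: the risk no longer exists
            return 0
        if self.treatment == "reduce":         # unchanged factors fall back to the inherent score
            p = self.probability if self.residual_probability is None else self.residual_probability
            i = self.impact if self.residual_impact is None else self.residual_impact
            return risk_rating(p, i)
        return self.inherent_rating            # accept / untreated: nothing has changed


def above_acceptance(register: List[Risk], acceptance: int) -> List[str]:
    """Risk Assessment: risks whose inherent rating is not below the agreed acceptance level."""
    return [r.name for r in register if r.inherent_rating >= acceptance]


def treatment_review(register: List[Risk], acceptance: int) -> dict:
    """Risk Treatment: classify each risk once controls are in place."""
    review = {}
    for r in register:
        if r.residual_rating < acceptance:
            review[r.name] = "within acceptance"
        elif r.treatment == "accept":
            review[r.name] = "accepted above acceptance"   # a recorded business decision
        else:
            review[r.name] = "still open"                  # more controls or an accept decision needed
    return review


# Constructed sample register; every score and control here is illustrative.
SAMPLE_REGISTER = [
    Risk("Flood", "physical", 2, 9, "reduce", ["off-site backups", "server room above ground floor"], residual_impact=4),
    Risk("Fire", "physical", 2, 10, "reduce", ["alarms and suppression", "DR site"], residual_impact=5),
    Risk("Theft", "physical", 5, 4),                                   # 20: already below acceptance
    Risk("Cyber attack", "technology", 8, 8, "reduce",
         ["MFA", "patching", "offline backups", "outsourced monitoring"],
         residual_probability=4, residual_impact=6),                   # 64 -> 24
    Risk("Recession", "financial", 6, 9, "accept"),                    # 54: accepted by the owners
    Risk("Pandemic", "operational", 6, 10, "reduce",
         ["remote working", "outsourcing partner for workload"], residual_impact=9),  # 60 -> 54, still open
]
ACCEPTANCE = 50   # assumption: the agreed level, as in the post's example (Risk Rating < 50)


if __name__ == "__main__":
    print("Needs treatment:", above_acceptance(SAMPLE_REGISTER, ACCEPTANCE))
    for name, status in treatment_review(SAMPLE_REGISTER, ACCEPTANCE).items():
        print(f"{name:13s} {status}")
```

The "still open" outcome for the pandemic entry is the case the Treatment step is there to catch: controls were added, but the re-scored rating is still at or above the acceptance level, so the register cannot be closed until either further controls bring it down or the owners record an explicit accept decision.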
Why should I bother?
By making Risk Management an integral part of how your business operates, you will be far more resilient and more likely to survive if things do go wrong, and this work can go on to form a key part of your overall Business Continuity planning.